Virtual Users PostgreSQL Injection

2012-06-07 Thread Schiz0
Hey list,

I have a setup with postfix-2.9.3,1 using virtual users from a
postgresql database. A thought suddenly occurred to me, what if
someone tries to send email to a user like this: '; drop table
mailbox;'
Does postfix properly escape fields when querying a sql database? My
virtual-users configuration is below.

virtual_mailbox_base = /usr/local/vmail
virtual_minimum_uid = 26
virtual_uid_maps = static:26
virtual_gid_maps = static:6
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop

virtual_mailbox_domains =
 proxy:pgsql:/usr/local/etc/postfix/sql/virtual_domains_maps
virtual_alias_maps =
 proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_maps,
 proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_maps,
 proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_catchall_maps
virtual_mailbox_maps =
 proxy:pgsql:/usr/local/etc/postfix/sql/virtual_mailbox_maps,
 proxy:pgsql:/usr/local/etc/postfix/sql/virtual_alias_domain_mailbox_maps

And in /usr/local/etc/postfix/sql/virtual_mailbox_maps:

user = dbuser
password = dbpass
hosts = /tmp
dbname = mail
query = SELECT maildir FROM mailbox WHERE username='%s' AND active IS TRUE

Now I see that it quotes the username, but if someone tries SQL
injection, this could still be an issue.

Thank you.


Re: Virtual Users PostgreSQL Injection

2012-06-07 Thread Bill Cole

On 7 Jun 2012, at 9:33, Schiz0 wrote:


Hey list,

I have a setup with postfix-2.9.3,1 using virtual users from a
postgresql database. A thought suddenly occurred to me, what if
someone tries to send email to a user like this: '; drop table
mailbox;'
Does postfix properly escape fields when querying a sql database?


I can't answer that specific question, but Postfix does do syntax 
checking on recipient addresses so such an address would never get to 
the point of being fed to a SQL database.




Re: Virtual Users PostgreSQL Injection

2012-06-07 Thread Wietse Venema
Schiz0:
 Hey list,
 
 I have a setup with postfix-2.9.3,1 using virtual users from a
 postgresql database. A thought suddenly occurred to me, what if
 someone tries to send email to a user like this: '; drop table
 mailbox;'
 Does postfix properly escape fields when querying a sql database? My

Sure, Postfix is http://xkcd.com/327/ compliant.

Wietse


Re: Virtual Users PostgreSQL Injection

2012-06-07 Thread Schiz0
On Thu, Jun 7, 2012 at 9:58 AM, Wietse Venema wie...@porcupine.org wrote:
 Schiz0:
 Hey list,

 I have a setup with postfix-2.9.3,1 using virtual users from a
 postgresql database. A thought suddenly occurred to me, what if
 someone tries to send email to a user like this: '; drop table
 mailbox;'
 Does postfix properly escape fields when querying a sql database? My

 Sure, Postfix is http://xkcd.com/327/ compliant.

        Wietse

Haha, I love that comic.

Thank you for the help.
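An added illustration of the two points raised in the thread (the query template from Schiz0's virtual_mailbox_maps file, and the quoting Wietse's reply alludes to), not code from the thread or from Postfix itself. The pgsql_escape() function is an assumed model of libpq's PQescapeStringConn() quoting (double every single quote, and also double backslashes when standard_conforming_strings is off); the dot-atom check is a simplified RFC 5322 local-part syntax check, not Postfix's own address parser; the lookup keys, the SQLite table and its rows are constructed test data.

```python
import re
import sqlite3

# Query template copied from the thread's virtual_mailbox_maps file.
QUERY = "SELECT maildir FROM mailbox WHERE username='%s' AND active IS TRUE"

# Constructed lookup keys. Postfix looks up the full recipient address, so
# the poster's payload gets a domain appended; the other two are ordinary
# users, one with a legal apostrophe in the local part.
HOSTILE_KEY = "'; drop table mailbox;'@example.com"
ALICE_KEY = "alice@example.com"
OBRIEN_KEY = "o'brien@example.com"

# RFC 5322 "atext": characters allowed in an unquoted (dot-atom) local part.
# The apostrophe is a member, so a syntax check alone does not stop quotes.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
DOT_ATOM = re.compile(r"^[%s]+(\.[%s]+)*$" % (ATEXT, ATEXT))


def is_dot_atom_local_part(address):
    """Simplified syntax check (not Postfix's parser): True if the local
    part is an RFC 5322 dot-atom. Quoted-string local parts are not handled."""
    local, sep, domain = address.rpartition("@")
    return bool(sep) and bool(domain) and DOT_ATOM.match(local) is not None


def naive_expand(template, key):
    """Plain %s substitution with no quoting: the behaviour the poster feared."""
    return template.replace("%s", key)


def pgsql_escape(key, standard_conforming_strings=True):
    """Assumed model of libpq's PQescapeStringConn(): double each single
    quote, and with standard_conforming_strings off also double backslashes."""
    out = key.replace("'", "''")
    if not standard_conforming_strings:
        out = out.replace("\\", "\\\\")
    return out


def quoted_expand(template, key):
    """%s substitution the way a quoting map driver does it."""
    return template.replace("%s", pgsql_escape(key))


def split_statements(sql):
    """Split SQL on ';' outside single-quoted literals, treating a doubled ''
    inside a literal as an escaped quote, to count what a server would see."""
    statements, buf, in_string, i = [], [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_string and c == "'" and sql[i + 1:i + 2] == "'":
            buf.append("''")
            i += 2
            continue
        if c == "'":
            in_string = not in_string
        elif c == ";" and not in_string:
            statements.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def lookup(key):
    """Run the quoted query against a throwaway SQLite copy of the mailbox
    table (constructed rows) and return the maildir, or None if no match."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT, maildir TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO mailbox VALUES (?, ?, ?)",
        [(ALICE_KEY, "example.com/alice/", 1),
         (OBRIEN_KEY, "example.com/o'brien/", 1),
         ("bob@example.com", "example.com/bob/", 0)],
    )
    row = conn.execute(quoted_expand(QUERY, key)).fetchone()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    conn.close()
    assert "mailbox" in tables  # the table survives the hostile lookup
    return row[0] if row else None


if __name__ == "__main__":
    for expand in (naive_expand, quoted_expand):
        sql = expand(QUERY, HOSTILE_KEY)
        print(expand.__name__, len(split_statements(sql)), "statement(s):", sql)
    for key in (HOSTILE_KEY, ALICE_KEY, OBRIEN_KEY):
        print(key, "dot-atom:", is_dot_atom_local_part(key), "maildir:", lookup(key))
```

Unquoted substitution turns the poster's key into three statements; with quote doubling the whole key stays inside one string literal, the query matches nothing, and a legitimate address such as o'brien@example.com still resolves. The dot-atom check rejects the payload because of the space and semicolon, not the apostrophe, which is why the quoting, not the address syntax check, is the part that matters.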